May 2022 Patch Tuesday: Six Critical CVEs Fixed and a Windows Vulnerability Actively Exploited

Microsoft has released 73 security patches for its May Patch Tuesday rollout. One of the 73 CVEs addressed, Windows LSA Spoofing Vulnerability CVE-2022-26925, is ranked as Important and is under active exploitation. In this blog, the CrowdStrike Falcon® Spotlight™ team offers an analysis on this month’s vulnerabilities, highlighting those that are most severe and recommending how to prioritize patching. 

Two Important Vulnerabilities: LSA Spoofing CVE and Microsoft Exchange Server CVE

Two vulnerabilities involving LSA Spoofing and Microsoft Exchange Server received CVSS scores of 8.1 and 8.2 respectively and a rank of Important. Nonetheless, these vulnerabilities are relevant to any organization using the affected products. 

CVE-2022-26925: Windows LSA spoofing vulnerability, could allow an unauthenticated attacker to force a domain controller to authenticate against another server using Windows New Technology LAN Manager (NTLM). Microsoft notes this would be a CVSS 9.8 if combined with NTLM relay attacks, making this vulnerability potentially more severe. In addition to updating with the offered patch, sysadmins should review KB5005413 and Advisory ADV210003 to see what additional measures can be taken to prevent NTLM relay attacks. 

CVE-2022-21978: Microsoft Exchange Server elevation of privilege vulnerability. Ranked as Important with a CVSS of 8.2, this vulnerability could allow an attacker with elevated privileges on the Exchange server to gain the rights of a Domain Administrator. This could allow access and controls outside of the expected scope of the targeted functionality. Additional steps should be taken in addition to applying the patch. For more details refer to this Microsoft guidance.

Rank CVSS Score CVE Description
Important 8.1 CVE-2022-26925 Windows LSA Spoofing Vulnerability
Important 8.2 CVE-2022-21978 Microsoft Exchange Server Elevation of Privilege Vulnerability

May 2022 Risk Analysis

The top three attack types — remote code execution (RCE), elevation of privilege and information disclosure — continue to dominate, with denial of service following at 8% (the same percentage as in April 2022).

Figure 1. Breakdown of May 2022 Patch Tuesday attack types

The affected product families, however, differ greatly from last month. In May 2022, Developer Tools, including Visual Studio Code,Visual Studio 2019 and 2022, as well as Microsoft .NET Framework, saw a significant decrease in vulnerabilities patched. Microsoft Windows received the most patches this month, with Extended Security Updates following close behind. A single Microsoft Exchange update was also included in this month’s patching list. 

Figure 2. Breakdown of May 2022 Patch Tuesday affected product families

Critical Vulnerabilities Affecting Active Directory, NFS and More

Six vulnerabilities ranked as Critical received patches this month across a number of Microsoft products, most notably for Windows Network File System (NFS), Kerberos and Active Directory. Let’s review each of these vulnerabilities and how they could affect an organization’s environment. 

CVE-2022-26923: This Active Directory Domain Services elevation of privilege vulnerability with a CVSS of 8.8 exists within the issuance of certificates. By including crafted data in a certificate request, an attacker can obtain a certificate that allows them to authenticate to a domain controller with a high level of privilege. Essentially any domain authenticated user can become a domain admin if Active Directory Certificate Services are running on the domain.

CVE-2022-26937: This Windows Network File System remote code execution vulnerability with a CVSS of 9.8 could allow remote, unauthenticated attackers to execute code in the context of the Network File System (NFS) service on affected systems. NFS isn’t on by default, but it’s prevalent in environments where Windows systems are mixed with other operating systems such as Linux or Unix.

Rank CVSS Score CVE Description
Critical 8.8 CVE-2022-26923 Active Directory Domain Services Elevation of Privilege Vulnerability
Critical 8.1 CVE-2022-21972 Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Critical 8.1 CVE-2022-23270 Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Critical 8.8 CVE-2022-22017 Remote Desktop Client Remote Code Execution Vulnerability
Critical 7.5 CVE-2022-26931 Windows Kerberos Elevation of Privilege Vulnerability
Critical 9.8 CVE-2022-26937 Windows Network File System Remote Code Execution Vulnerability

Ten Windows LDAP Remote Code Execution Vulnerabilities

Ten RCE vulnerabilities affecting Windows Lightweight Directory Access Protocol (LDAP) received patches this month. All are ranked as Important, with two vulnerabilities that warrant additional attention: CVE-2022-22012 and CVE-2022-29130. The highest-ranked LDAP bugs, with a CVSS of 9.8, are only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable. Successful exploitation could result in the attacker’s code running in the context of the SYSTEM account.

Rank CVSS Score CVE Description
Important 9.8 CVE-2022-22012 Windows LDAP Remote Code Execution Vulnerability
Important 9.8 CVE-2022-29130 Windows LDAP Remote Code Execution Vulnerability
Important 8.8 CVE-2022-22013 Windows LDAP Remote Code Execution Vulnerability
Important 8.8 CVE-2022-22014 Windows LDAP Remote Code Execution Vulnerability
Important 8.8 CVE-2022-29128 Windows LDAP Remote Code Execution Vulnerability
Important 8.8 CVE-2022-29129 Windows LDAP Remote Code Execution Vulnerability
Important 8.8 CVE-2022-29131 Windows LDAP Remote Code Execution Vulnerability
Important 8.8 CVE-2022-29137 Windows LDAP Remote Code Execution Vulnerability
Important 8.8 CVE-2022-29139 Windows LDAP Remote Code Execution Vulnerability
Important 8.8 CVE-2022-29141 Windows LDAP Remote Code Execution Vulnerability

More Print Spooler Vulnerabilities

Four out of the 17 information disclosure vulnerabilities patched in this month’s release impact Print Spooler, with CVSS scores ranging between 5.5 and 7.8. These bugs result from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage these vulnerabilities to disclose information in the context of SYSTEM. Most of the other information disclosure bugs in this release only result in leaks consisting of unspecified memory contents.

Adversaries Are Becoming More Sophisticated — Your Patching Strategy Should Too

Adversaries are becoming more crafty and diligent in their efforts to exploit vulnerabilities, as discussed in the CrowdStrike 2022 Global Threat Report and reflected in the recent update to Cybersecurity and Infrastructure Security Agency’s (CISA) Known Vulnerabilities Catalog. Although Microsoft offers patches to some systems on a monthly basis, your organization may be using other operating systems and applications, and those are just as likely to be exploited. 

CrowdStrike always recommends reviewing your patching strategy and the methodology behind what gets patched first, but how to get it done often frustrates SecOps teams. That’s why we developed Falcon Spotlight ExPRT.AI: to succinctly predict which vulnerabilities pose the most risk to your environment so that you are able to patch before an attacker can penetrate your systems. Falcon Spotlight ExPRT.AI provides valuable data and insights for a more accurate understanding of how these vulnerabilities could affect your environment. This solution utilizes the intelligence of an always adapting AI model to help your team address the onslaught of vulnerabilities that must be reviewed every month. It can make a dramatic difference for your team and for protecting your organization — see how it can help you in this video

Learn More

This video on Falcon Spotlight™ vulnerability management shows how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization. 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources

Related Content